Cyber insurance is one of the fastest-growing segments in the insurance market. Swiss Re estimates global premium volume for 2025 at over 14 billion US dollars. For Swiss SMEs, the question is: is a cyber policy worthwhile — and what does it actually entail?
What Cyber Insurance Covers
Most cyber policies cover the direct consequences of a security incident. The specific benefits vary by provider and tariff, but the core coverage is similar across most products.
- Incident Response and Forensics: Costs for investigating the incident, identifying attack vectors, and containing the damage. Many insurers work with dedicated IR service providers.
- Business Interruption: Lost revenue during downtime — often the single largest cost item in ransomware attacks.
- Data Recovery: Costs for restoring systems and data from backups or through rebuilding.
- Legal Costs and Fines: Legal fees, regulatory proceedings, and potential fines under the GDPR or the Swiss nFADP.
- Notification Costs: The nFADP requires reporting data security breaches to the FDPIC. With thousands of affected customers, costs add up quickly.
- Ransom Payments: Increasingly controversial. Some insurers such as AXA France have temporarily excluded ransomware payments from their coverage. The trend is towards restriction.
- Crisis Communication: PR advisory and customer communication following an incident.
What Is Not Covered
The exclusions are at least as important as the coverage. This is where many claims fail.
- Known Vulnerabilities: Anyone who ignores a critical security vulnerability for months and is then attacked through it is likely to see the claim contested. Insurers check whether a patch was available at the time of the attack.
- War and State-Sponsored Attacks: Since 2023, Lloyd’s of London has required explicit war exclusion clauses in all cyber policies. NotPetya in 2017 led to litigation worth billions precisely over this issue.
- Inadequate Basic Security: Anyone who fails to maintain the contractually agreed security measures risks having their claim denied.
- Long-Term Reputational Damage: Customer loss over months and years following a breach is not insurable.
- Improvement Costs: The costs of upgrading security after an incident — new firewalls, better segmentation — are not covered by insurance.
- Intellectual Property Theft: The value of stolen trade secrets or engineering plans is difficult to quantify and usually excluded.
What Insurers Require Before Signing a Policy
The days when a questionnaire with ten questions was sufficient for a cyber policy are over. Insurers have learnt from the losses of recent years and now impose specific technical requirements.
- Multi-Factor Authentication (MFA): Mandatory for all remote access, VPN, email, and admin accounts. Without MFA, most providers will no longer issue a policy.
- Backups: Regular, tested, and stored offline or immutably. A backup that gets encrypted alongside the rest during a ransomware attack is worthless.
- Endpoint Detection and Response (EDR): Traditional antivirus is no longer sufficient. Insurers require modern EDR solutions on all endpoints and servers.
- Patch Management: A documented process for the timely installation of security updates, with critical patches installed within 14 days.
- Security Awareness Training: Verifiable employee training, ideally including phishing simulations.
- Incident Response Plan: A documented emergency plan that is regularly rehearsed.
- Penetration Testing: An increasing number of insurers require regular penetration tests as a prerequisite — or offer premium discounts for organisations that can demonstrate them.
The Cyber Insurance Paradox
There is a certain irony here: a company that consistently implements all insurer requirements — MFA, EDR, backups, patching, training, penetration tests — has already massively reduced its risk. The probability of a successful attack drops significantly. Nevertheless, cyber insurance remains worthwhile: even with good security, there is no hundred per cent guarantee, and the financial consequences of an incident can be existentially threatening.
Swiss Context
The Swiss Insurance Association (SIA) has published guidelines for cyber insurance that serve as a reference for the Swiss market. FINMA supervises insurers and is increasingly focusing on risk modelling in the cyber domain. With the revised Federal Act on Data Protection (nFADP), in force since September 2023, reporting obligations have become stricter — another reason why cyber insurance is becoming more relevant for SMEs.
The key perspective is this: cyber insurance is a safety net, not a substitute for security. Anyone who relies on their policy but neglects the fundamentals will face an unpleasant surprise when a claim arises.
How Zerberos Can Help
Many of the technical requirements that insurers impose can be met through targeted security measures. Zerberos conducts penetration tests and security audits that not only uncover vulnerabilities but also serve as evidence for insurers. Numerous providers offer premium discounts for companies that can demonstrate regular penetration tests. Our risk assessments also help to realistically evaluate your own security posture — a prerequisite for making the right insurance decision.
Contact us for a no-obligation consultation.
Sources
- Swiss Re Institute — Cyber Insurance: Strengthening Resilience (2024)
- Munich Re — Cyber Insurance: Risks and Trends (2024)
- Lloyd’s Market Association — Cyber War and Cyber Operation Exclusions (2023)
- Swiss Insurance Association (SIA) — Cyber Insurance Guidelines
- FINMA — Supervisory Communications on Cyber Resilience
- FDPIC — New Federal Act on Data Protection (nFADP), in force since 1 September 2023